Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

rootkit-like behavior


  • This topic is locked This topic is locked
6 replies to this topic

#1 G-pop

G-pop

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 23 November 2010 - 09:34 PM

I'm on vacation and my granddaughter asks me to look at her PC as it's acting strange - sometimes reboots without notice. I check the software level and find XP SP2. So I try Windows Update and get the "cannot display the webpage" error message. All flavors of the update result in the same message.

Please note that the ark file is only partial because the PC reboots at about the same point each time I tried to run gmer. So I did a save just prior to the point that I think it was going to reboot yet again.


DDS (Ver_10-11-10.01) - NTFSx86
Run by HP_Owner at 15:32:48.71 on Tue 11/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.703.115 [GMT -8:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google\Update\GoogleUpdateBeta.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdxcoms.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iConcepts Music Express\MEAutoDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uWindow Title = Windows Internet Explorer provided by MSN & Bing
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101122122049.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autode~1.lnk - c:\program files\iconcepts music express\MEAutoDetect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spysub~1.lnk - c:\program files\intermute\spysubtract\SpySub.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxps://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290377486986
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1290489321421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-11-22 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-11-22 54776]
R2 GoogleUpdateBeta;Google Update Service;c:\documents and settings\networkservice\local settings\application data\google\update\GoogleUpdateBeta.exe [2010-11-23 40960]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-11-21 93320]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-22 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-22 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-11-22 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-11-22 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-22 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-11-22 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-11-22 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-11-22 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-11-22 88544]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-11-22 55840]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-11-22 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-22 84264]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-11-21 34248]

=============== Created Last 30 ================

2010-11-23 19:25:01 -------- d-----w- c:\program files\McAfeeMOBK
2010-11-23 19:08:56 -------- d-sh--w- c:\documents and settings\hp_owner\IECompatCache
2010-11-23 05:08:45 -------- d-sh--w- c:\documents and settings\hp_owner\PrivacIE
2010-11-23 05:02:30 -------- d-sh--w- c:\documents and settings\hp_owner\IETldCache
2010-11-23 04:24:21 917504 ----a-w- c:\windows\system32\FLASH.OCX
2010-11-23 04:22:29 -------- d-----w- c:\docume~1\hp_owner\applic~1\Azureus
2010-11-22 23:11:32 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-11-22 23:11:19 -------- d-----w- c:\program files\McAfee Online Backup
2010-11-22 23:09:51 53248 ----a-w- c:\windows\system32\6to4v32.dll
2010-11-22 20:20:48 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-11-22 20:20:34 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-11-22 20:20:22 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-11-22 20:20:21 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-11-22 20:20:21 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-11-22 20:20:21 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-11-22 20:20:21 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-11-22 20:20:21 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-11-22 20:20:21 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-11-22 20:20:20 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-11-22 20:05:54 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-11-22 20:05:54 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-11-22 19:51:24 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-11-22 19:51:24 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-11-22 19:51:23 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-11-22 19:51:23 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-11-22 04:02:42 -------- d-----w- c:\program files\common files\McAfee
2010-11-22 04:02:38 -------- d-----w- c:\program files\McAfee.com
2010-11-22 04:01:40 -------- d-----w- c:\program files\McAfee
2010-11-22 03:59:59 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-11-21 23:07:49 19569 ----a-w- c:\windows\005226_.tmp
2010-11-21 23:07:39 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-11-21 22:31:49 331805736 ----a-w- c:\program files\Malwarebytes' Anti-Malware.lnk
2010-11-21 22:30:44 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-11-21 21:15:47 -------- d-----w- c:\docume~1\hp_owner\applic~1\Uniblue
2010-11-21 21:14:18 -------- d-----w- c:\program files\Uniblue
2010-11-21 21:13:43 -------- d-----w- c:\docume~1\hp_owner\locals~1\applic~1\PackageAware
2010-11-21 20:14:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-21 20:14:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-31 00:28:23 -------- d-sh--w- c:\documents and settings\hp_owner\UserData
2010-10-30 19:52:18 -------- d-sh--r- C:\cmdcons
2010-10-30 19:52:08 -------- d-----w- c:\windows\setupupd
2010-10-30 19:50:20 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-30 19:47:02 184320 ------w- c:\windows\system32\SiSApCom.dll
2010-10-30 19:47:02 110592 ------w- c:\windows\system32\TVMode.dll
2010-10-30 19:46:46 331776 ----a-w- c:\windows\system32\sistray.exe
2010-10-30 19:46:43 -------- d-----w- c:\windows\system32\trayres
2010-10-30 18:26:22 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-10-30 18:26:21 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-10-30 18:26:18 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-10-30 18:26:16 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-10-30 16:47:03 -------- d-sh--r- c:\windows\system32\dllcache
2010-10-30 16:24:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\WSTB

==================== Find3M ====================

2010-11-22 01:50:45 3645 ----a-w- c:\windows\viassary-hp.reg
2005-07-30 09:46:26 774144 -c--a-w- c:\program files\RngInterstitial.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP1604N rev.TM100-24 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82B78446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82b7e504]; MOV EAX, [0x82b7e580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EDE00] -> \Device\Harddisk0\DR0[0x82BE9560]
3 CLASSPNP[0xF7D3005B] -> ntkrnlpa!IofCallDriver[0x804EDE00] -> \Device\0000005f[0x82B91F18]
5 ACPI[0xF7BC6620] -> ntkrnlpa!IofCallDriver[0x804EDE00] -> [0x82BC9D98]
\Driver\atapi[0x82B61888] -> IRP_MJ_CREATE -> 0x82B78446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_SP1604N_________________________TM100-24#30533331314a5930313130313232202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82B78292
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 15:35:29.29 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:26 PM

Posted 24 November 2010 - 04:01 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of it's removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

 

 


#3 G-pop

G-pop
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 25 November 2010 - 11:49 PM

ComboFix did the trick. It found and eliminated the rootkit. My only challenge was trying to stop the McAfee Total Protection. If there's an Exit or Stop command I sure couldn't find it. It certainly doesn't exist when I right clicked on the M icon. So I did the only thing I could do and used Task Manager to kill the McAfee processes. The only one I couldn't kill was mcshield.exe Bottom line is that I was now able to install the 80+ updates and all is once again well with the world. Thank you, thank you, thank you.

ComboFix 10-11-23.02 - HP_Owner 11/23/2010 20:21:08.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.703.314 [GMT -8:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\Control Commander
c:\documents and settings\LocalService\Application Data\Control Commander\faq\guide.html
c:\documents and settings\LocalService\Application Data\Control Commander\faq\images\05.png
c:\documents and settings\LocalService\Application Data\Control Commander\faq\images\06.png
c:\documents and settings\LocalService\Application Data\Control Commander\faq\images\07.png
c:\documents and settings\LocalService\Application Data\Control Commander\faq\images\08.png
c:\documents and settings\LocalService\Application Data\Control Commander\faq\images\09.png
c:\documents and settings\LocalService\Application Data\Control Commander\faq\images\10.png
c:\documents and settings\LocalService\Application Data\Control Commander\settings.ini
c:\documents and settings\NetworkService\Local Settings\Application Data\Google\Update\GoogleUpdateBeta.exe
c:\program files\cmapp
c:\program files\cmapp\Client\hf.txt
c:\program files\cmapp\Client\rf.txt
c:\program files\cmapp\Client\sf.txt
c:\program files\cmapp\Client\Uninstall.exe
c:\program files\PeoplePC\Toolbar\PPCToolbar.dll
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\program files\SoftwareOnline
c:\program files\SoftwareOnline\soproc.exe
c:\windows\Downloaded Program Files\dlhelper.dll
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\6to4v32.dll
c:\windows\system32\certstore.dat
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\viassary-hp.reg
D:\Autorun.inf

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_GOOGLEUPDATEBETA
-------\Service_6to4
-------\Service_GoogleUpdateBeta


((((((((((((((((((((((((( Files Created from 2010-10-24 to 2010-11-24 )))))))))))))))))))))))))))))))
.

2010-11-24 03:35 . 2010-11-24 03:35 723294 ----a-w- c:\windows\unins000.exe
2010-11-24 03:35 . 2010-11-24 03:35 -------- d-----w- c:\program files\Quick Web Player
2010-11-24 02:49 . 2010-11-24 02:49 76440 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-11-24 02:49 . 2010-11-24 02:49 -------- d-----w- c:\program files\Prevx
2010-11-24 02:49 . 2010-11-24 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-11-23 19:25 . 2010-11-23 19:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-11-23 19:25 . 2010-11-23 19:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-11-23 19:25 . 2010-11-23 19:25 -------- d-----w- c:\windows\system32\DRVSTORE
2010-11-23 18:15 . 2010-11-23 18:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-11-23 16:51 . 2010-11-23 16:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-11-23 04:24 . 2010-11-23 04:24 917504 ----a-w- c:\windows\system32\FLASH.OCX
2010-11-22 23:35 . 2010-11-23 19:25 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
2010-11-22 23:11 . 2010-04-14 04:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-11-22 23:11 . 2010-11-23 19:24 -------- d-----w- c:\program files\McAfee Online Backup
2010-11-22 20:20 . 2010-10-14 06:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-11-22 20:20 . 2010-10-14 06:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-11-22 20:20 . 2010-10-14 06:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-11-22 20:20 . 2010-10-14 06:28 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-11-22 20:20 . 2010-10-14 06:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-11-22 20:20 . 2010-10-14 06:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-11-22 20:20 . 2010-10-14 06:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-11-22 20:20 . 2010-10-14 06:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-11-22 20:20 . 2010-10-14 06:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-11-22 20:20 . 2010-10-14 06:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-11-22 20:05 . 2004-08-04 07:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-11-22 19:51 . 2001-08-18 06:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-11-22 19:51 . 2004-08-04 06:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-11-22 04:22 . 2010-11-22 04:22 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-11-22 04:11 . 2010-11-22 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-11-22 04:02 . 2010-11-23 19:24 -------- d-----w- c:\program files\Common Files\McAfee
2010-11-22 04:01 . 2010-11-24 01:25 -------- d-----w- c:\program files\McAfee
2010-11-22 03:59 . 2010-02-18 00:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-11-22 03:10 . 2010-11-24 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-11-21 23:07 . 2006-12-29 08:31 19569 ----a-w- c:\windows\005226_.tmp
2010-11-21 23:07 . 2009-01-08 02:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-11-21 22:31 . 2010-11-21 22:34 331805736 ----a-w- c:\program files\Malwarebytes' Anti-Malware.lnk
2010-11-21 22:30 . 2010-11-21 22:30 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-11-21 21:14 . 2010-11-21 21:14 -------- d-----w- c:\program files\Uniblue
2010-11-21 20:14 . 2010-11-21 20:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-21 20:14 . 2010-11-21 20:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-30 19:50 . 2004-08-04 11:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-30 19:49 . 2010-11-23 22:35 -------- d-----w- c:\documents and settings\HP_Owner
2010-10-30 19:47 . 2004-12-02 05:46 -------- d-----w- c:\windows\system32\config\systemprofile\WINDOWS
2010-10-30 19:47 . 2004-09-24 09:49 110592 ------w- c:\windows\system32\TVMode.dll
2010-10-30 19:47 . 2004-09-24 09:44 184320 ------w- c:\windows\system32\SiSApCom.dll
2010-10-30 19:46 . 2004-09-24 09:47 331776 ----a-w- c:\windows\system32\sistray.exe
2010-10-30 19:46 . 2010-10-30 19:46 -------- d-----w- c:\windows\system32\trayres
2010-10-30 18:26 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-10-30 18:26 . 2004-08-04 05:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-10-30 18:26 . 2001-08-17 21:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-10-30 18:26 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-10-30 16:47 . 2010-11-23 19:25 -------- d-sh--r- c:\windows\system32\dllcache
2010-10-30 16:24 . 2010-10-30 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-14 06:28 . 2009-03-25 19:06 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2005-07-30 09:46 . 2005-07-30 09:46 774144 -c--a-w- c:\program files\RngInterstitial.dll
2005-06-08 17:11 . 2005-06-08 17:11 1134592 -c--a-w- c:\program files\mozilla firefox\components\rfproxy.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 04:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 04:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 04:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-12-1 45056]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Auto Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Auto Detect.lnk
backup=c:\windows\pss\Auto Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 17:06 88363 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 11:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
2004-06-07 18:42 659456 ----a-w- c:\windows\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2004-06-07 18:53 49152 ----a-w- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 16:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-04-18 03:41 196608 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-04-13 21:07 69632 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2004-06-05 03:38 286720 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2003-02-11 20:02 61440 ----a-w- c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-14 21:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]
2009-07-08 05:02 1176808 ----a-w- c:\progra~1\McAfee\MHN\McENUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]
2010-09-30 21:10 1193848 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2002-10-16 16:57 81920 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-12-02 05:46 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-14 20:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 19:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-12-02 05:39 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\WINDOWS\\system32\\lxdxcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxwbgw.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/22/2010 12:20 PM 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [11/22/2010 3:11 PM 54776]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/21/2010 8:09 PM 93320]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [11/22/2010 12:18 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [11/22/2010 12:20 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/22/2010 12:20 PM 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/22/2010 12:20 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/22/2010 12:20 PM 88544]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/22/2010 12:20 PM 55840]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/22/2010 12:20 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/22/2010 12:20 PM 84264]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2010-11-22 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 16:50]

2010-10-05 c:\windows\Tasks\FileTask.job
- c:\program files\FileTask\FileTask.exe [2010-09-14 02:04]

2010-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-23 20:49]

2010-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-23 20:49]

2010-11-24 c:\windows\Tasks\StartUp_FileTask.job
- c:\program files\FileTask\FileTask.exe [2010-09-14 02:04]

2010-11-24 c:\windows\Tasks\StartUp_FileTask.job
- c:\program files\FileTask\FileTask.exe [2010-09-14 02:04]

2010-10-05 c:\windows\Tasks\Update_FileTask.job
- c:\program files\FileTask\FileTask.exe [2010-09-14 02:04]

2010-11-24 c:\windows\Tasks\vtscheduletask.job
- c:\program files\McAfee\Supportability\MVT\MvtApp.exe [2010-11-24 22:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-23 20:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3380)
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdxcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\System32\vssvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee\mpf\mc\mpfalert.exe
.
**************************************************************************
.
Completion time: 2010-11-23 20:52:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-24 04:52

Pre-Run: 109,057,929,216 bytes free
Post-Run: 110,292,406,272 bytes free

- - End Of File - - E232FF859F5D81C22501CF09801A360C

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:26 PM

Posted 26 November 2010 - 02:44 PM

Good evening. :)

I think we'll have a second opinion, just to check if anything else is lurking, and then we'll tidy up and you can be on your way.

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.

 

 


#5 G-pop

G-pop
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 27 November 2010 - 10:17 AM

The PC is now back to normal thanks to you - my grandaughter and I are very grateful :-)


DDS (Ver_10-11-10.01) - NTFSx86
Run by HP_Owner at 7:05:36.89 on Sat 11/27/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.703.148 [GMT -8:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdxcoms.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iConcepts Music Express\MEAutoDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\fixit stuff\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101122122049.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autode~1.lnk - c:\program files\iconcepts music express\MEAutoDetect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spysub~1.lnk - c:\program files\intermute\spysubtract\SpySub.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxps://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290377486986
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1290489321421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-11-22 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-11-22 54776]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-11-21 88176]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-22 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-22 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-11-22 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-11-22 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-22 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-11-22 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-11-22 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-11-22 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-11-22 88544]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-11-22 55840]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-11-22 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-22 84264]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-11-21 34248]

=============== Created Last 30 ================

2010-11-27 14:57:17 54016 ----a-w- c:\windows\system32\drivers\kjdny.sys
2010-11-27 03:52:40 -------- d-----w- c:\docume~1\hp_owner\applic~1\Malwarebytes
2010-11-27 03:52:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-27 03:52:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-27 03:52:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-27 00:41:07 -------- d-----w- c:\docume~1\hp_owner\locals~1\applic~1\Adobe
2010-11-26 15:41:30 -------- d-----w- c:\docume~1\hp_owner\locals~1\applic~1\PCHealth
2010-11-26 15:40:58 -------- d-----w- C:\f90517e8f34c8cdebc7f
2010-11-26 15:40:52 -------- d-----w- C:\f02c4feeaeed5cd96c
2010-11-26 15:30:31 7168 ----a-w- c:\windows\InstFunc.dll
2010-11-26 15:30:31 49152 ----a-w- c:\windows\system32\SiSPower.dll
2010-11-26 06:51:02 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-26 06:51:02 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-26 06:43:13 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-11-24 16:01:13 65536 ----a-w- c:\windows\system32\sis760.bin
2010-11-24 16:01:13 65536 ----a-w- c:\windows\system32\sis741.bin
2010-11-24 16:01:12 49152 ----a-w- c:\windows\system32\sis660.bin
2010-11-24 15:46:25 -------- d-----w- c:\windows\system32\scripting
2010-11-24 06:06:28 -------- d-----w- c:\program files\MSXML 6.0
2010-11-24 05:31:15 272128 ----a-w- c:\windows\system32\drivers\bthport.sys
2010-11-24 05:31:15 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-11-24 05:30:18 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-11-24 05:28:45 2137088 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-11-24 05:28:42 2181376 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-11-24 05:28:39 2016768 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-11-24 05:28:37 2058368 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-11-24 05:26:38 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-11-24 05:26:38 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-11-24 05:26:37 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-11-24 05:26:35 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-11-24 05:26:34 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-11-24 05:26:32 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-11-24 05:26:24 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-11-24 05:09:41 19569 ----a-w- c:\windows\005372_.tmp
2010-11-24 05:09:41 19569 ----a-w- c:\windows\002704_.tmp
2010-11-24 05:09:34 19456 ----a-w- c:\windows\system32\dimsntfy(2)(2).dll
2010-11-24 05:02:40 -------- d-----w- c:\windows\system32\PreInstall
2010-11-24 04:58:48 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-11-24 04:58:48 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-11-24 04:58:47 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-11-24 04:58:46 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-24 04:58:46 -------- d-----w- c:\windows\system32\SoftwareDistribution
2010-11-24 04:09:07 89088 ----a-w- c:\windows\MBR.exe
2010-11-24 04:09:07 256512 ----a-w- c:\windows\PEV.exe
2010-11-24 04:09:06 98816 ----a-w- c:\windows\sed.exe
2010-11-24 04:09:06 161792 ----a-w- c:\windows\SWREG.exe
2010-11-24 03:35:32 723294 ----a-w- c:\windows\unins000.exe
2010-11-24 03:35:15 -------- d-----w- c:\program files\Quick Web Player
2010-11-24 02:49:40 76440 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-11-24 02:49:38 -------- d-----w- c:\program files\Prevx
2010-11-24 02:49:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2010-11-24 01:48:36 -------- d-----w- c:\docume~1\hp_owner\applic~1\McAfee
2010-11-23 19:25:01 -------- d-----w- c:\program files\McAfeeMOBK
2010-11-23 19:08:56 -------- d-sh--w- c:\documents and settings\hp_owner\IECompatCache
2010-11-23 05:08:45 -------- d-sh--w- c:\documents and settings\hp_owner\PrivacIE
2010-11-23 05:02:30 -------- d-sh--w- c:\documents and settings\hp_owner\IETldCache
2010-11-23 04:24:21 917504 ----a-w- c:\windows\system32\FLASH.OCX
2010-11-23 04:22:29 -------- d-----w- c:\docume~1\hp_owner\applic~1\Azureus
2010-11-22 23:11:32 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-11-22 23:11:19 -------- d-----w- c:\program files\McAfee Online Backup
2010-11-22 20:20:48 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-11-22 20:20:34 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-11-22 20:20:22 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-11-22 20:20:21 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-11-22 20:20:21 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-11-22 20:20:21 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-11-22 20:20:21 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-11-22 20:20:21 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-11-22 20:20:21 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-11-22 20:20:20 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-11-22 20:05:54 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-11-22 20:05:54 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-11-22 19:51:24 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-11-22 19:51:24 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-11-22 19:51:23 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-11-22 19:51:23 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-11-22 04:02:42 -------- d-----w- c:\program files\common files\McAfee
2010-11-22 04:02:38 -------- d-----w- c:\program files\McAfee.com
2010-11-22 04:01:40 -------- d-----w- c:\program files\McAfee
2010-11-22 03:59:59 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-11-21 23:07:49 19569 ----a-w- c:\windows\005226_.tmp
2010-11-21 23:07:39 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-11-21 22:31:49 331805736 ----a-w- c:\program files\Malwarebytes' Anti-Malware.lnk
2010-11-21 21:15:47 -------- d-----w- c:\docume~1\hp_owner\applic~1\Uniblue
2010-11-21 21:14:18 -------- d-----w- c:\program files\Uniblue
2010-11-21 21:13:43 -------- d-----w- c:\docume~1\hp_owner\locals~1\applic~1\PackageAware
2010-11-21 20:14:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-21 20:14:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-31 00:28:23 -------- d-sh--w- c:\documents and settings\hp_owner\UserData
2010-10-30 19:52:18 -------- d-sha-r- C:\cmdcons
2010-10-30 19:52:08 -------- d-----w- c:\windows\setupupd
2010-10-30 19:50:20 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-30 19:47:02 184320 ------w- c:\windows\system32\SiSApCom.dll
2010-10-30 19:47:02 110592 ------w- c:\windows\system32\TVMode.dll
2010-10-30 19:46:46 331776 ----a-w- c:\windows\system32\sistray.exe
2010-10-30 19:46:43 -------- d-----w- c:\windows\system32\trayres
2010-10-30 18:26:22 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-10-30 18:26:22 21504 ----a-w- c:\windows\system32\hidserv(3).dll
2010-10-30 18:26:22 21504 ----a-w- c:\windows\system32\hidserv(2).dll
2010-10-30 18:26:21 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-10-30 18:26:18 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-10-30 18:26:16 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-10-30 16:47:03 -------- d-sh--r- c:\windows\system32\dllcache
2010-10-30 16:24:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\WSTB

==================== Find3M ====================

2010-11-24 15:50:24 44032 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\localcontent\attachments\devcon.exe
2010-11-24 15:50:23 307200 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\pchnotify.exe
2010-11-24 15:50:19 3072 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\jsharpde\pchealthde.exe
2010-11-24 15:50:18 159744 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\PCHButton.exe
2010-11-24 15:50:16 77824 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\FDIWrapper.dll
2010-11-24 15:50:16 26572 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\jsharpde\INV16.dll
2010-11-24 15:50:14 69632 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\jsharpde\msxmlwrapper.dll
2010-11-24 15:50:14 40960 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\ScDmi.dll
2010-11-24 15:50:10 49152 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\PCHI18N.dll
2010-11-24 15:50:06 139264 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\ContentUpdater.exe
2010-11-24 15:50:03 110592 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\hpq\xpxwwpp5\plugin\bin\DSAPI4.dll
2005-07-30 09:46:26 774144 -c--a-w- c:\program files\RngInterstitial.dll

============= FINISH: 7:07:36.35 ===============

Attached Files


Edited by Noviciate, 27 November 2010 - 05:08 PM.


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:26 PM

Posted 27 November 2010 - 05:11 PM

Good evening. :)

You have a couple of entries in your log that point to files on your PC that I would like to have checked - if they are still present.

Please go to Jotti's and click on the Browse... button at the top and navigate to the following files in turn, and then click on Submit:

c:\windows\system32\drivers\kjdny.sys
c:\windows\system32\hidserv.dll


When all the scans have been completed, for each file in turn, please copy and paste the "Permalink" that you'll find in the "Jotti's malware scan" box in the upper left hand part of the page into your next reply.

If this site is busy, try VirusTotal: Click the Browse ... button, navigate to the file and double click it and then click the Send button.

You may need to set Windows to show All Hidden Files and Folders - Instructions can be found here.
* These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after you have done.
*

So long, and thanks for all the fish.

 

 


#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:26 PM

Posted 04 December 2010 - 03:42 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users